svamp-cli 0.1.47 → 0.1.49

package/dist/cli.mjs

@@ -1,4 +1,4 @@
-import { b as stopDaemon, s as startDaemon, d as daemonStatus } from './run-Ckyg9-fm.mjs';
+import { b as stopDaemon, s as startDaemon, d as daemonStatus } from './run-CE4H8ZiN.mjs';
 import 'os';
 import 'fs/promises';
 import 'fs';
@@ -105,12 +105,15 @@ async function main() {
     await handleMachineCommand();
   } else if (subcommand === "skills") {
     await handleSkillsCommand();
+  } else if (subcommand === "service" || subcommand === "svc") {
+    const { handleServiceCommand } = await import('./commands-DlPBC5p0.mjs').then(function (n) { return n.c; });
+    await handleServiceCommand();
   } else if (subcommand === "--help" || subcommand === "-h") {
     printHelp();
   } else if (!subcommand || subcommand === "start") {
     await handleInteractiveCommand();
   } else if (subcommand === "--version" || subcommand === "-v") {
-    const pkg = await import('./package-DG0AkZdm.mjs').catch(() => ({ default: { version: "unknown" } }));
+    const pkg = await import('./package-BYUO-39f.mjs').catch(() => ({ default: { version: "unknown" } }));
     console.log(`svamp version: ${pkg.default.version}`);
   } else {
     console.error(`Unknown command: ${subcommand}`);
@@ -119,7 +122,7 @@ async function main() {
   }
 }
 async function handleInteractiveCommand() {
-  const { runInteractive } = await import('./run-6dwQnoBL.mjs');
+  const { runInteractive } = await import('./run-CtJRxaFC.mjs');
   const interactiveArgs = subcommand === "start" ? args.slice(1) : args;
   let directory = process.cwd();
   let resumeSessionId;
@@ -164,7 +167,7 @@ async function handleAgentCommand() {
     return;
   }
   if (agentArgs[0] === "list") {
-    const { KNOWN_ACP_AGENTS, KNOWN_MCP_AGENTS: KNOWN_MCP_AGENTS2 } = await import('./run-Ckyg9-fm.mjs').then(function (n) { return n.i; });
+    const { KNOWN_ACP_AGENTS, KNOWN_MCP_AGENTS: KNOWN_MCP_AGENTS2 } = await import('./run-CE4H8ZiN.mjs').then(function (n) { return n.i; });
     console.log("Known agents:");
     for (const [name, config2] of Object.entries(KNOWN_ACP_AGENTS)) {
       console.log(`  ${name.padEnd(12)} ${config2.command} ${config2.args.join(" ")}  (ACP)`);
@@ -176,7 +179,7 @@ async function handleAgentCommand() {
     console.log('Use "svamp agent -- <command> [args]" for a custom ACP agent.');
     return;
   }
-  const { resolveAcpAgentConfig, KNOWN_MCP_AGENTS } = await import('./run-Ckyg9-fm.mjs').then(function (n) { return n.i; });
+  const { resolveAcpAgentConfig, KNOWN_MCP_AGENTS } = await import('./run-CE4H8ZiN.mjs').then(function (n) { return n.i; });
   let cwd = process.cwd();
   const filteredArgs = [];
   for (let i = 0; i < agentArgs.length; i++) {
@@ -200,12 +203,12 @@ async function handleAgentCommand() {
   console.log(`Starting ${config.agentName} agent in ${cwd}...`);
   let backend;
   if (KNOWN_MCP_AGENTS[config.agentName]) {
-    const { CodexMcpBackend } = await import('./run-Ckyg9-fm.mjs').then(function (n) { return n.j; });
+    const { CodexMcpBackend } = await import('./run-CE4H8ZiN.mjs').then(function (n) { return n.j; });
     backend = new CodexMcpBackend({ cwd, log: logFn });
   } else {
-    const { AcpBackend } = await import('./run-Ckyg9-fm.mjs').then(function (n) { return n.h; });
-    const { GeminiTransport } = await import('./run-Ckyg9-fm.mjs').then(function (n) { return n.G; });
-    const { DefaultTransport } = await import('./run-Ckyg9-fm.mjs').then(function (n) { return n.D; });
+    const { AcpBackend } = await import('./run-CE4H8ZiN.mjs').then(function (n) { return n.h; });
+    const { GeminiTransport } = await import('./run-CE4H8ZiN.mjs').then(function (n) { return n.G; });
+    const { DefaultTransport } = await import('./run-CE4H8ZiN.mjs').then(function (n) { return n.D; });
     const transportHandler = config.agentName === "gemini" ? new GeminiTransport() : new DefaultTransport(config.agentName);
     backend = new AcpBackend({
       agentName: config.agentName,
@@ -323,7 +326,7 @@ async function handleSessionCommand() {
     printSessionHelp();
     return;
   }
-  const { sessionList, sessionSpawn, sessionStop, sessionInfo, sessionMessages, sessionAttach, sessionMachines, sessionSend, sessionWait, sessionShare, sessionRalphStart, sessionRalphCancel, sessionRalphStatus, sessionQueueAdd, sessionQueueList, sessionQueueClear } = await import('./commands-DsIoygTL.mjs');
+  const { sessionList, sessionSpawn, sessionStop, sessionInfo, sessionMessages, sessionAttach, sessionMachines, sessionSend, sessionWait, sessionShare, sessionRalphStart, sessionRalphCancel, sessionRalphStatus, sessionQueueAdd, sessionQueueList, sessionQueueClear } = await import('./commands-D1brd9fB.mjs');
   const parseFlagStr = (flag, shortFlag) => {
     for (let i = 1; i < sessionArgs.length; i++) {
       if ((sessionArgs[i] === flag || shortFlag) && i + 1 < sessionArgs.length) {
@@ -357,13 +360,21 @@ async function handleSessionCommand() {
     }
     const message = parseFlagStr("--message");
     const wait = hasFlag("--wait");
+    const worktree = hasFlag("--worktree");
     const isolate = hasFlag("--isolate");
+    const permissionMode = parseFlagStr("--permission-mode") || parseFlagStr("-p");
     const securityContextPath = parseFlagStr("--security-context");
     const denyNetwork = hasFlag("--deny-network");
+    const parentSessionId = parseFlagStr("--parent");
+    const tagsFlag = parseFlagStr("--tags");
     const share = [];
     const denyRead = [];
     const allowWrite = [];
     const allowDomain = [];
+    const tags = [];
+    if (tagsFlag) {
+      tags.push(...tagsFlag.split(",").map((t) => t.trim()).filter(Boolean));
+    }
     for (let i = 1; i < sessionArgs.length; i++) {
       if (sessionArgs[i] === "--share" && i + 1 < sessionArgs.length) {
         share.push(sessionArgs[++i]);
@@ -375,18 +386,22 @@ async function handleSessionCommand() {
         allowDomain.push(sessionArgs[++i]);
       }
     }
-    const { parseShareArg } = await import('./commands-DsIoygTL.mjs');
+    const { parseShareArg } = await import('./commands-D1brd9fB.mjs');
     const shareEntries = share.map((s) => parseShareArg(s));
     await sessionSpawn(agent, dir, targetMachineId, {
       message,
       wait,
+      worktree,
       isolate,
+      permissionMode,
       securityContextPath,
       share: shareEntries.length > 0 ? shareEntries : void 0,
       denyRead: denyRead.length > 0 ? denyRead : void 0,
       allowWrite: allowWrite.length > 0 ? allowWrite : void 0,
       denyNetwork,
-      allowDomain: allowDomain.length > 0 ? allowDomain : void 0
+      allowDomain: allowDomain.length > 0 ? allowDomain : void 0,
+      tags: tags.length > 0 ? tags : void 0,
+      parentSessionId
     });
   } else if (sessionSubcommand === "stop") {
     if (!sessionArgs[1]) {
@@ -404,12 +419,13 @@ async function handleSessionCommand() {
     });
   } else if (sessionSubcommand === "messages" || sessionSubcommand === "msgs") {
     if (!sessionArgs[1]) {
-      console.error("Usage: svamp session messages <session-id> [--last N] [--json] [--after N] [--limit N]");
+      console.error("Usage: svamp session messages <session-id> [--last N] [--json] [--raw] [--after N] [--limit N]");
       process.exit(1);
     }
     await sessionMessages(sessionArgs[1], targetMachineId, {
       last: parseFlagInt("--last"),
       json: hasFlag("--json"),
+      raw: hasFlag("--raw"),
       after: parseFlagInt("--after"),
       limit: parseFlagInt("--limit")
     });
@@ -431,11 +447,12 @@ async function handleSessionCommand() {
     });
   } else if (sessionSubcommand === "wait") {
     if (!sessionArgs[1]) {
-      console.error("Usage: svamp session wait <session-id> [--timeout N]");
+      console.error("Usage: svamp session wait <session-id> [--timeout N] [--json]");
       process.exit(1);
     }
     await sessionWait(sessionArgs[1], targetMachineId, {
-      timeout: parseFlagInt("--timeout")
+      timeout: parseFlagInt("--timeout"),
+      json: hasFlag("--json")
     });
   } else if (sessionSubcommand === "share") {
     if (!sessionArgs[1]) {
@@ -448,14 +465,35 @@ async function handleSessionCommand() {
       list: hasFlag("--list"),
       public: parseFlagStr("--public")
     });
+  } else if (sessionSubcommand === "approve") {
+    if (!sessionArgs[1]) {
+      console.error("Usage: svamp session approve <session-id> [request-id] [--json]");
+      process.exit(1);
+    }
+    const { sessionApprove } = await import('./commands-D1brd9fB.mjs');
+    const approveReqId = sessionArgs[2] && !sessionArgs[2].startsWith("--") ? sessionArgs[2] : void 0;
+    await sessionApprove(sessionArgs[1], approveReqId, targetMachineId, {
+      json: hasFlag("--json")
+    });
+  } else if (sessionSubcommand === "deny") {
+    if (!sessionArgs[1]) {
+      console.error("Usage: svamp session deny <session-id> [request-id] [--json]");
+      process.exit(1);
+    }
+    const { sessionDeny } = await import('./commands-D1brd9fB.mjs');
+    const denyReqId = sessionArgs[2] && !sessionArgs[2].startsWith("--") ? sessionArgs[2] : void 0;
+    await sessionDeny(sessionArgs[1], denyReqId, targetMachineId, {
+      json: hasFlag("--json")
+    });
   } else if (sessionSubcommand === "ralph-start" || sessionSubcommand === "ralph") {
     if (!sessionArgs[1] || !sessionArgs[2]) {
-      console.error('Usage: svamp session ralph-start <session-id> "<task>" [--completion-promise TEXT] [--max-iterations N]');
+      console.error('Usage: svamp session ralph-start <session-id> "<task>" [--completion-promise TEXT] [--max-iterations N] [--cooldown N]');
       process.exit(1);
     }
     await sessionRalphStart(sessionArgs[1], sessionArgs[2], targetMachineId, {
       completionPromise: parseFlagStr("--completion-promise"),
-      maxIterations: parseFlagInt("--max-iterations")
+      maxIterations: parseFlagInt("--max-iterations"),
+      cooldownSeconds: parseFlagInt("--cooldown")
     });
   } else if (sessionSubcommand === "ralph-cancel") {
     if (!sessionArgs[1]) {
@@ -508,7 +546,7 @@ async function handleMachineCommand() {
     return;
   }
   if (machineSubcommand === "share") {
-    const { machineShare } = await import('./commands-DsIoygTL.mjs');
+    const { machineShare } = await import('./commands-D1brd9fB.mjs');
     let machineId;
     const shareArgs = [];
     for (let i = 1; i < machineArgs.length; i++) {
@@ -537,6 +575,50 @@ async function handleMachineCommand() {
       }
     }
     await machineShare(machineId, { add, remove, list, configPath, showConfig });
+  } else if (machineSubcommand === "exec") {
+    const { machineExec } = await import('./commands-D1brd9fB.mjs');
+    let machineId;
+    let cwd;
+    const cmdParts = [];
+    for (let i = 1; i < machineArgs.length; i++) {
+      if ((machineArgs[i] === "--machine" || machineArgs[i] === "-m") && i + 1 < machineArgs.length) {
+        machineId = machineArgs[++i];
+      } else if (machineArgs[i] === "--cwd" && i + 1 < machineArgs.length) {
+        cwd = machineArgs[++i];
+      } else {
+        cmdParts.push(machineArgs[i]);
+      }
+    }
+    const command = cmdParts.join(" ");
+    if (!command) {
+      console.error("Usage: svamp machine exec <command> [--cwd <path>] [-m <id>]");
+      process.exit(1);
+    }
+    await machineExec(machineId, command, cwd);
+  } else if (machineSubcommand === "info") {
+    const { machineInfo } = await import('./commands-D1brd9fB.mjs');
+    let machineId;
+    for (let i = 1; i < machineArgs.length; i++) {
+      if ((machineArgs[i] === "--machine" || machineArgs[i] === "-m") && i + 1 < machineArgs.length) {
+        machineId = machineArgs[++i];
+      }
+    }
+    await machineInfo(machineId);
+  } else if (machineSubcommand === "ls") {
+    const { machineLs } = await import('./commands-D1brd9fB.mjs');
+    let machineId;
+    let showHidden = false;
+    let path;
+    for (let i = 1; i < machineArgs.length; i++) {
+      if ((machineArgs[i] === "--machine" || machineArgs[i] === "-m") && i + 1 < machineArgs.length) {
+        machineId = machineArgs[++i];
+      } else if (machineArgs[i] === "--hidden" || machineArgs[i] === "-a") {
+        showHidden = true;
+      } else if (!path) {
+        path = machineArgs[i];
+      }
+    }
+    await machineLs(machineId, path, showHidden);
   } else {
     console.error(`Unknown machine command: ${machineSubcommand}`);
     printMachineHelp();
@@ -551,7 +633,7 @@ async function handleSkillsCommand() {
     printSkillsHelp();
     return;
   }
-  const { skillsFind, skillsInstall, skillsList, skillsRemove, skillsPublish } = await import('./commands-BEhSQqTp.mjs');
+  const { skillsFind, skillsInstall, skillsList, skillsRemove, skillsPublish } = await import('./commands-6EyqaoCp.mjs');
   if (skillsSubcommand === "find" || skillsSubcommand === "search") {
     const query = skillsArgs.slice(1).filter((a) => !a.startsWith("--")).join(" ");
     if (!query) {
@@ -898,28 +980,37 @@ function printHelp() {
 svamp \u2014 AI workspace on Hypha Cloud
 
 Usage:
-  svamp                      Start interactive Claude session (synced to cloud)
-  svamp start [-d <path>]    Same as above, with explicit directory
-  svamp login [url]          Login to Hypha (opens browser, stores token)
-  svamp daemon start         Start the daemon (detached)
-  svamp daemon stop          Stop the daemon (sessions preserved for restart)
-  svamp daemon restart       Restart the daemon (sessions resume seamlessly)
-  svamp daemon status        Show daemon status
-  svamp daemon install       Install as system service (launchd/systemd/wrapper)
-  svamp session list         List active sessions
-  svamp session spawn        Spawn a new session on the daemon
-  svamp session share <id>   Manage session sharing
-  svamp session attach <id>  Attach to a session
-  svamp session --help       Show all session commands
-  svamp machine share        Manage machine sharing & security contexts
-  svamp machine --help       Show all machine commands
-  svamp skills find <query>  Search the skills marketplace
-  svamp skills install <n>   Install a skill from the marketplace
-  svamp skills --help        Show all skill commands
-  svamp agent list           List known agents
-  svamp agent <name>         Start local agent session (gemini, codex)
-  svamp --version            Show version
-  svamp --help               Show this help
+  svamp                        Start interactive Claude session (synced to cloud)
+  svamp start [-d <path>]      Same as above, with explicit directory
+  svamp login [url]            Login to Hypha (opens browser, stores token)
+  svamp daemon start           Start the daemon (detached)
+  svamp daemon stop            Stop the daemon (sessions preserved for restart)
+  svamp daemon restart         Restart the daemon (sessions resume seamlessly)
+  svamp daemon status          Show daemon status
+  svamp daemon install         Install as system service (launchd/systemd/wrapper)
+  svamp session list           List active sessions
+  svamp session spawn          Spawn a new session on the daemon
+  svamp session send <id> <m>  Send message to a session
+  svamp session wait <id>      Wait for agent to become idle
+  svamp session info <id>      Show session status & pending permissions
+  svamp session messages <id>  Show message history
+  svamp session approve <id>   Approve pending permission request
+  svamp session deny <id>      Deny pending permission request
+  svamp session attach <id>    Attach to a session (interactive terminal)
+  svamp session share <id>     Manage session sharing
+  svamp session --help         Show all session commands
+  svamp machine share          Manage machine sharing & security contexts
+  svamp machine --help         Show all machine commands
+  svamp skills find <query>    Search the skills marketplace
+  svamp skills install <n>     Install a skill from the marketplace
+  svamp skills --help          Show all skill commands
+  svamp service expose <name>  Expose a service from this sandbox
+  svamp service list           List service groups
+  svamp service --help         Show all service commands
+  svamp agent list             List known agents
+  svamp agent <name>           Start local agent session (gemini, codex)
+  svamp --version              Show version
+  svamp --help                 Show this help
 
 Interactive mode:
   When you run 'svamp' with no arguments, Claude starts in your terminal
@@ -954,19 +1045,75 @@ function printSessionHelp() {
   console.log(`
 svamp session \u2014 Manage daemon sessions (Claude, Gemini, Codex)
 
-Usage:
-  svamp session list [--active] [--json]                     List sessions (alias: ls)
-  svamp session machines                                      List discoverable machines
-  svamp session spawn <agent> [-d <path>] [--message <msg>] [--wait]
-                                                              Spawn a new session
-  svamp session stop <id>                                     Stop a session
-  svamp session info <id> [--json]                           Show session metadata + activity
+Commands:
+  svamp session list [--active] [--json]                       List sessions (alias: ls)
+  svamp session machines                                        List discoverable machines
+  svamp session spawn <agent> [-d <path>] [options]            Spawn a new session
+  svamp session stop <id>                                       Stop a session
+  svamp session info <id> [--json]                             Show status, activity & pending permissions
   svamp session send <id> <message> [--wait] [--timeout N] [--json]
-                                                              Send a message to a session
-  svamp session wait <id> [--timeout N]                      Wait for agent to become idle
-  svamp session messages <id> [--last N] [--json] [--after N] [--limit N]
-                                                              Show messages (alias: msgs)
-  svamp session attach <id>                                   Attach to session (interactive)
+                                                                Send a message to a session
+  svamp session wait <id> [--timeout N] [--json]               Wait for agent to become idle
+  svamp session messages <id> [--last N] [--json] [--raw] [--after N] [--limit N]
+                                                                Show messages (alias: msgs)
+  svamp session attach <id>                                     Attach to session (interactive terminal)
+  svamp session approve <id> [request-id] [--json]             Approve pending permission(s)
+  svamp session deny <id> [request-id] [--json]                Deny pending permission(s)
+
+Spawn options:
+  -d, --directory <path>          Working directory (default: cwd)
+  -p, --permission-mode <mode>    Agent permission mode (see "Permission modes" below)
+  --message <msg>                 Send initial message after spawn
+  --wait                          Wait for agent to become idle before returning
+  --worktree                      Create a git worktree branch (at .dev/worktree/<name>)
+  --isolate                       Force OS-level sandbox isolation
+  --security-context <path>       Apply security context config (JSON file)
+  --share <email>[:<role>]        Share with user (repeatable). Role: view, interact, admin
+  --deny-network                  Block all network access
+  --deny-read <path>              Deny reading path (repeatable)
+  --allow-write <path>            Allow writing path (repeatable)
+  --allow-domain <domain>         Allow network domain (repeatable)
+
+Permission modes (-p, --permission-mode):
+  default              Prompt for each tool use (default)
+  acceptEdits          Auto-approve file edits, prompt for bash/dangerous tools
+  bypassPermissions    Auto-approve all tools (no prompts)
+
+Permission workflow:
+  When an agent runs with 'default' or 'acceptEdits' permission mode, it pauses
+  when it needs to use a tool that requires approval. Use these commands to manage:
+
+  1. Check status:    svamp session info <id> --json
+                      \u2192 shows pendingPermissions array when agent is blocked
+  2. Wait & detect:   svamp session wait <id> --json
+                      \u2192 exits with code 2 if permission pending (see exit codes)
+  3. Approve:         svamp session approve <id>          (approve all pending)
+                      svamp session approve <id> <rid>    (approve specific request)
+  4. Deny:            svamp session deny <id>             (deny all pending)
+                      svamp session deny <id> <rid>       (deny specific request)
+
+  Request IDs support prefix matching (e.g., "abc1" matches "abc12345-...").
+
+Messages options:
+  --last N       Show only the last N messages
+  --after N      Start after sequence number N
+  --limit N      Max messages to fetch from server (default: 1000, cap: 500 per page)
+  --json         Output as JSON (FormattedMessage: id, seq, role, text, createdAt)
+  --raw          With --json: output full raw message objects (includes tool_use args,
+                 tool_result content, thinking blocks \u2014 use for programmatic parsing)
+
+Exit codes (wait, send --wait, spawn --wait):
+  0   Agent is idle (task completed)
+  1   Error (timeout, connection failure, session not found)
+  2   Agent is waiting for permission approval \u2014 use approve/deny to continue
+
+Global options:
+  --machine <id>, -m <id>  Target a specific machine (prefix match supported)
+
+Agents: claude (default), gemini, codex
+Session and machine IDs support prefix matching (e.g., "abc1" matches "abc12345-...").
+
+Sharing:
   svamp session share <id> --list                            List shared users
   svamp session share <id> --add <email>[:<role>]            Share with user
   svamp session share <id> --remove <email>                  Remove shared user
@@ -975,6 +1122,10 @@ Usage:
 Options:
   --machine <id>, -m <id>  Target a specific machine (prefix match supported)
 
+Spawn options:
+  -p, --permission-mode <mode>  Agent permission mode: default, acceptEdits, bypassPermissions
+  --worktree                    Create a git worktree branch as working directory
+
 Spawn isolation options:
   --share <email>[:<role>]    Share session (repeatable). Role: view, interact, admin
   --security-context <path>   Path to security context JSON config file
@@ -984,39 +1135,57 @@ Spawn isolation options:
   --deny-network              Deny all network access
   --allow-domain <domain>     Allow network access to domain (repeatable)
 
+Spawn grouping options:
+  --tags <tag1,tag2>          Comma-separated tags
+  --parent <sessionId>        Set parent session (auto-detected from SVAMP_SESSION_ID)
+
 Agents: claude (default), gemini, codex
 
 Session and machine IDs can be abbreviated (prefix match, like Docker).
 
+NOTE: By default, spawned agents run with 'default' permission mode, which means
+the agent may pause to request permission for tool use (file edits, bash, etc.).
+Use -p bypassPermissions to run without approval prompts.
+
 Attach commands:
   /quit, /detach    Detach (session keeps running)
   /abort, /cancel   Cancel current agent turn
   /kill             Stop the session
   /info             Show session status
 
+Ralph Loop (iterative task automation):
+  svamp session ralph-start <id> "<task>" [--completion-promise TEXT] [--max-iterations N] [--cooldown N]
+  svamp session ralph-cancel <id>
+  svamp session ralph-status <id>
+  (alias: svamp session ralph <id> "<task>" ...)
+
+Message Queue:
+  svamp session queue add <id> "<message>"
+  svamp session queue list <id>
+  svamp session queue clear <id>
+
 Examples:
-  svamp session spawn claude -d ~/projects/myapp --message "Fix the bug" --wait
-  svamp session spawn claude -d /tmp/sandbox --isolate --deny-network
-  svamp session spawn claude -d /tmp/proj --share alice@example.com:admin --deny-read /etc
-  svamp session spawn claude --security-context ./security.json
-  svamp session share abc12345 --add bob@example.com:view
-  svamp session share abc12345 --public view
-  svamp session share abc12345 --list
+  # Spawn with bypassed permissions (no prompts)
+  svamp session spawn claude -d ./proj -p bypassPermissions --message "fix tests" --wait
 
-Ralph Loop (iterative task loop):
-  svamp session ralph-start <id> "<task>" [--completion-promise TEXT] [--max-iterations N]
-                                                              Start a Ralph loop
-  svamp session ralph-cancel <id>                             Cancel active Ralph loop
-  svamp session ralph-status <id>                             Show Ralph loop status
+  # Spawn with default permissions, handle approval via CLI
+  svamp session spawn claude -d ./proj --message "refactor auth"
+  svamp session wait abc1 --json           # exits with code 2 if permission pending
+  svamp session approve abc1               # approve all pending permissions
+  svamp session wait abc1                  # wait for completion
 
-Message Queue:
-  svamp session queue add <id> "<message>"                    Add message to queue
-  svamp session queue list <id>                               List queued messages
-  svamp session queue clear <id>                              Clear the queue
+  # Monitor session messages (raw for full tool details)
+  svamp session messages abc1 --last 10 --json --raw
 
-Ralph Loop Examples:
-  svamp session ralph-start abc12 "Fix all linting errors" --completion-promise "All linting errors fixed" --max-iterations 10
-  svamp session ralph-cancel abc12
+  # Send message and wait for completion
+  svamp session send abc1 "run the tests" --wait --json
+
+  # Isolation & sharing
+  svamp session spawn claude -d /tmp/sandbox --isolate --deny-network
+  svamp session spawn claude -d /tmp/proj --share alice@example.com:admin
+
+  # Ralph Loop
+  svamp session ralph-start abc1 "Fix all linting errors" --max-iterations 10
 `);
 }
 function printMachineHelp() {
@@ -1024,6 +1193,9 @@ function printMachineHelp() {
 svamp machine \u2014 Machine management
 
 Usage:
+  svamp machine info                                 Show machine info & status
+  svamp machine exec <command> [--cwd <path>]        Run command on machine
+  svamp machine ls [path] [--hidden]                 List directory on machine
   svamp machine share --list                         List shared users
   svamp machine share --add <email>[:<role>]         Share machine with user
   svamp machine share --remove <email>               Remove shared user
@@ -1032,28 +1204,17 @@ Usage:
 
 Options:
   --machine <id>, -m <id>  Target a specific machine (prefix match supported)
-
-Security context config file format (JSON):
-  {
-    "default": {
-      "role": "interact",
-      "filesystem": { "denyRead": ["/etc/shadow"], "denyWrite": ["/usr"] },
-      "network": { "allowedDomains": ["api.anthropic.com"] }
-    },
-    "users": {
-      "alice@example.com": { "role": "admin" },
-      "bob@example.com": { "role": "view", "denyAllNetwork": true }
-    }
-  }
-
-The "default" entry applies to all users. Per-user entries override defaults.
-Machine-level config is merged with session-level config at spawn time.
+  --cwd <path>             Working directory for exec (default: home dir)
+  --hidden, -a             Show hidden files in ls
 
 Examples:
+  svamp machine info
+  svamp machine exec "ls -la /tmp"
+  svamp machine exec "df -h" -m cloud-box --cwd /
+  svamp machine ls /home/user/projects
+  svamp machine ls --hidden -m cloud-box
   svamp machine share --add alice@example.com:admin
   svamp machine share --config ./security-context.json
-  svamp machine share --show-config
-  svamp machine share --list
 `);
 }
 function printSkillsHelp() {